Azure Load Balancer - Network Specialty Certification Guide

🎯 Map Requirements to Features and Capabilities

graph TB
    A[Business Requirements] --> B[High Availability]
    A --> C[Scalability]
    A --> D[Performance]
    A --> E[Security]
    A --> F[Cost Optimization]
    B --> B1[Health Probes]
    B --> B2[Multiple Backend Pools]
    B --> B3[Availability Zones]
    C --> C1[Auto Scaling Integration]
    C --> C2[Dynamic Backend Management]
    C --> C3[Session Persistence]
    D --> D1[Load Distribution Algorithms]
    D --> D2[Connection Draining]
    D --> D3[TCP/UDP Load Balancing]
    E --> E1[Network Security Groups]
    E --> E2[Private/Public Frontend]
    E --> E3[SSL Offloading]
    F --> F1[Basic vs Standard SKU]
    F --> F2[Regional vs Global]
    F --> F3[Resource Optimization]
    style A fill:#e1f5fe
    style B fill:#f3e5f5
    style C fill:#e8f5e8
    style D fill:#fff3e0
    style E fill:#fce4ec
    style F fill:#f1f8e9

High Availability Features

  • Health Probes: HTTP, HTTPS, TCP probes to monitor backend health
  • Availability Zones: Zone-redundant and zonal deployments
  • Automatic Failover: Instant traffic redirection on failure
  • SLA: 99.99% availability for Standard SKU

Load Distribution

  • 5-tuple hash: Source IP, Source Port, Destination IP, Destination Port, Protocol
  • Source IP affinity: 2-tuple or 3-tuple distribution
  • Equal distribution: Round-robin across healthy backends
  • Weighted distribution: Custom traffic weights per backend

Network Capabilities

  • Layer 4 Load Balancing: TCP and UDP traffic
  • Port Forwarding: Inbound NAT rules
  • Outbound Connectivity: SNAT for backend VMs
  • IPv6 Support: Dual-stack load balancing

Security & Monitoring

  • NSG Integration: Network security group rules
  • Azure Monitor: Metrics and diagnostic logs
  • Resource Health: Real-time health status
  • Private Endpoints: Secure backend communication

🔧 Appropriate Use Cases for Azure Load Balancer

graph LR
    A[Use Cases] --> B[Web Applications]
    A --> C[Database Clusters]
    A --> D[Microservices]
    A --> E[Legacy Applications]
    B --> B1[Multi-tier Apps]
    B --> B2[E-commerce Sites]
    B --> B3[Content Delivery]
    C --> C1[SQL Server AlwaysOn]
    C --> C2[MySQL Clusters]
    C --> C3[NoSQL Databases]
    D --> D1[Container Workloads]
    D --> D2[API Gateways]
    D --> D3[Service Mesh]
    E --> E1[Mainframe Integration]
    E --> E2[Custom TCP/UDP Apps]
    E --> E3[Gaming Servers]
    style A fill:#e3f2fd
    style B fill:#e8f5e8
    style C fill:#fff3e0
    style D fill:#f3e5f5
    style E fill:#fce4ec

🌐 Web Application Load Balancing

Scenario: Multi-tier web application with frontend web servers

Configuration: Public Load Balancer with HTTP/HTTPS health probes

Benefits: High availability, automatic scaling, SSL termination

🗄️ Database High Availability

Scenario: SQL Server AlwaysOn Availability Groups

Configuration: Internal Load Balancer with TCP health probes

Benefits: Transparent failover, connection persistence, zone redundancy

🔄 Microservices Architecture

Scenario: Container-based microservices with dynamic scaling

Configuration: Multiple backend pools with custom health probes

Benefits: Service discovery integration, blue-green deployments

🎮 Gaming and Real-time Applications

Scenario: UDP-based gaming servers or real-time communication

Configuration: UDP load balancing with TCP health probes

Benefits: Low latency, session affinity, global load balancing

💡 Best Practice: Choose Internal Load Balancer for backend services and Public Load Balancer for internet-facing applications. Consider Application Gateway for Layer 7 features like URL routing and WAF.

📊 Choose Azure Load Balancer SKU and Tier

graph TD
    A[SKU Selection Decision Tree] --> B{Application Scope}
    B -->|Single Region| C{Performance Requirements}
    B -->|Multi Region| D[Standard SKU + Global Load Balancer]
    C -->|Basic Needs| E{Budget Constraints}
    C -->|High Performance| F[Standard SKU]
    E -->|Cost Sensitive| G[Basic SKU]
    E -->|Production Ready| H[Standard SKU]
    F --> I[Standard Features]
    G --> J[Basic Features]
    H --> I
    D --> K[Global Features]
    I --> I1[SLA 99.99%]
    I --> I2[Availability Zones]
    I --> I3[Outbound Rules]
    I --> I4[Multiple Frontend IPs]
    J --> J1[No SLA]
    J --> J2[Single AZ]
    J --> J3[Default SNAT]
    J --> J4[Single Frontend IP]
    K --> K1[Cross-region Load Balancing]
    K --> K2[Global Anycast IP]
    K --> K3[Health-based Routing]
    style A fill:#e1f5fe
    style G fill:#c8e6c9
    style F fill:#bbdefb
    style D fill:#d1c4e9

Basic SKU

💰 Cost-Effective Choice

  • ✅ Free tier available
  • ✅ Simple load balancing
  • ✅ Basic health probes
  • ❌ No SLA guarantee
  • ❌ Single availability zone
  • ❌ Limited to 300 instances
  • ❌ No metrics/diagnostics

Best for: Development, testing, proof-of-concept

Standard SKU

🚀 Production Ready

  • ✅ 99.99% SLA
  • ✅ Availability zone support
  • ✅ Up to 1000 instances
  • ✅ Advanced health probes
  • ✅ Outbound rules control
  • ✅ Multiple frontend IPs
  • ✅ Rich metrics & diagnostics

Best for: Production workloads, mission-critical apps

Gateway Load Balancer

🔒 Network Appliance Integration

  • ✅ Transparent network appliance insertion
  • ✅ Chaining with 3rd party NVAs
  • ✅ GENEVE encapsulation
  • ✅ High performance (up to 50 Gbps)
  • 🔄 Maintains flow stickiness
  • 🔄 Scale out/in NVAs

Best for: Security appliances, inspection, filtering

⚠️ Important: Basic and Standard SKU resources cannot be mixed. Once deployed, you cannot change SKU types - you must recreate the load balancer.

Feature            | Basic      | Standard         | Gateway
Backend pool size  | Up to 300  | Up to 1000       | Up to 1000
Availability zones | ❌         | ✅               | ✅
SLA                | None       | 99.99%           | 99.99%
Health probes      | HTTP, TCP  | HTTP, HTTPS, TCP | HTTP, HTTPS, TCP
Outbound rules     | ❌         | ✅               | ✅
Multiple frontends | ❌         | ✅               | ✅
Diagnostics        | ❌         | ✅               | ✅

💻 Azure CLI Configuration

graph TB
    RG[Resource Group<br/>rg-loadbalancer-prod] --> VNET[Virtual Network<br/>vnet-prod<br/>10.0.0.0/16]
    VNET --> SUBNET1[Web Subnet<br/>subnet-web<br/>10.0.1.0/24]
    VNET --> SUBNET2[DB Subnet<br/>subnet-db<br/>10.0.2.0/24]
    PIP[Public IP<br/>pip-lb-prod<br/>Standard SKU<br/>Zone Redundant] --> LB[Public Load Balancer<br/>lb-web-prod<br/>Standard SKU]
    LB --> FE[Frontend IP Config<br/>frontend-web<br/>Public IP Association]
    LB --> BE[Backend Pool<br/>backend-web<br/>VM Collection]
    LB --> PROBE[Health Probe<br/>health-probe-http<br/>HTTP:80/health]
    LB --> RULE[Load Balancing Rule<br/>rule-http<br/>Port 80→80]
    LB --> OUT[Outbound Rule<br/>outbound-rule<br/>SNAT Configuration]
    NSG[Network Security Group<br/>nsg-web-servers] --> NSGRULE1[Allow HTTP:80]
    NSG --> NSGRULE2[Allow HTTPS:443]
    AVSET[Availability Set<br/>avset-web<br/>2 Fault Domains]
    VM1[Virtual Machine<br/>vm-web-01<br/>Zone 1] --> NIC1[Network Interface<br/>vm-web-01VMNic]
    VM2[Virtual Machine<br/>vm-web-02<br/>Zone 2] --> NIC2[Network Interface<br/>vm-web-02VMNic]
    NIC1 --> SUBNET1
    NIC2 --> SUBNET1
    NIC1 --> NSG
    NIC2 --> NSG
    NIC1 --> BE
    NIC2 --> BE
    PROBE --> RULE
    FE --> RULE
    BE --> RULE
    %% Internal Load Balancer Branch
    ILB[Internal Load Balancer<br/>lb-db-internal<br/>Standard SKU] --> FE_INT[Frontend IP Config<br/>frontend-db<br/>10.0.2.10]
    ILB --> BE_INT[Backend Pool<br/>backend-db<br/>Database VMs]
    ILB --> PROBE_INT[Health Probe<br/>health-probe-sql<br/>TCP:1433]
    ILB --> RULE_INT[Load Balancing Rule<br/>rule-sql<br/>Port 1433→1433<br/>Floating IP Enabled]
    FE_INT --> SUBNET2
    PROBE_INT --> RULE_INT
    FE_INT --> RULE_INT
    BE_INT --> RULE_INT
    %% Styling
    style RG fill:#e8f5e8
    style VNET fill:#e1f5fe
    style LB fill:#bbdefb
    style ILB fill:#c8e6c9
    style VM1 fill:#fff3e0
    style VM2 fill:#fff3e0
    style NSG fill:#fce4ec
    style PIP fill:#f3e5f5

Resource Relationship Overview

🔗 Key Relationships:

  • Public IP → Load Balancer: Provides internet-facing endpoint
  • Frontend IP → Load Balancing Rule: Defines where traffic enters
  • Backend Pool → Load Balancing Rule: Defines where traffic is distributed
  • Health Probe → Load Balancing Rule: Ensures traffic only goes to healthy instances
  • Network Interface → Backend Pool: Associates VMs with load balancer
  • NSG → Network Interface: Controls traffic flow to VMs

Standard Load Balancer Setup

# Create Resource Group
az group create \
  --name rg-loadbalancer-prod \
  --location eastus2

# Create Virtual Network and Subnet
az network vnet create \
  --resource-group rg-loadbalancer-prod \
  --name vnet-prod \
  --address-prefix 10.0.0.0/16 \
  --subnet-name subnet-web \
  --subnet-prefix 10.0.1.0/24

# Create Public IP for Load Balancer (Zone-redundant)
az network public-ip create \
  --resource-group rg-loadbalancer-prod \
  --name pip-lb-prod \
  --sku Standard \
  --allocation-method Static \
  --zone 1 2 3

# Create Standard Load Balancer
az network lb create \
  --resource-group rg-loadbalancer-prod \
  --name lb-web-prod \
  --sku Standard \
  --public-ip-address pip-lb-prod \
  --frontend-ip-name frontend-web \
  --backend-pool-name backend-web

# Create Health Probe
az network lb probe create \
  --resource-group rg-loadbalancer-prod \
  --lb-name lb-web-prod \
  --name health-probe-http \
  --protocol Http \
  --port 80 \
  --path /health \
  --interval 15 \
  --threshold 2

# Create Load Balancing Rule
# Outbound SNAT is disabled on this rule because outbound-rule (below)
# uses the same frontend; the outbound rule then controls SNAT explicitly.
az network lb rule create \
  --resource-group rg-loadbalancer-prod \
  --lb-name lb-web-prod \
  --name rule-http \
  --protocol Tcp \
  --frontend-port 80 \
  --backend-port 80 \
  --frontend-ip-name frontend-web \
  --backend-pool-name backend-web \
  --probe-name health-probe-http \
  --idle-timeout 15 \
  --enable-tcp-reset true \
  --disable-outbound-snat true

# Create Network Security Group
az network nsg create \
  --resource-group rg-loadbalancer-prod \
  --name nsg-web-servers

# Add NSG Rules
az network nsg rule create \
  --resource-group rg-loadbalancer-prod \
  --nsg-name nsg-web-servers \
  --name AllowHTTP \
  --protocol Tcp \
  --priority 1000 \
  --destination-port-range 80 \
  --access Allow

az network nsg rule create \
  --resource-group rg-loadbalancer-prod \
  --nsg-name nsg-web-servers \
  --name AllowHTTPS \
  --protocol Tcp \
  --priority 1010 \
  --destination-port-range 443 \
  --access Allow

# Create Availability Set (optional, for non-zonal deployment)
az vm availability-set create \
  --resource-group rg-loadbalancer-prod \
  --name avset-web \
  --platform-fault-domain-count 2 \
  --platform-update-domain-count 5

# Create Virtual Machines (example for 2 VMs)
# --public-ip-address "" creates no instance-level public IP: inbound traffic
# arrives through the load balancer and outbound traffic uses outbound-rule.
for i in {1..2}; do
  az vm create \
    --resource-group rg-loadbalancer-prod \
    --name vm-web-0$i \
    --image Ubuntu2204 \
    --size Standard_B2s \
    --vnet-name vnet-prod \
    --subnet subnet-web \
    --nsg nsg-web-servers \
    --public-ip-address "" \
    --zone $i \
    --admin-username azureuser \
    --generate-ssh-keys \
    --custom-data cloud-init.txt
done

# Add VMs to Backend Pool
for i in {1..2}; do
  # Look up the NIC's IP configuration name instead of assuming "ipconfig1";
  # az vm create derives it from the VM name.
  ipconfig=$(az network nic show \
    --resource-group rg-loadbalancer-prod \
    --name vm-web-0${i}VMNic \
    --query "ipConfigurations[0].name" \
    --output tsv)
  az network nic ip-config address-pool add \
    --resource-group rg-loadbalancer-prod \
    --nic-name vm-web-0${i}VMNic \
    --ip-config-name "$ipconfig" \
    --lb-name lb-web-prod \
    --address-pool backend-web
done

# Create Outbound Rule (for explicit outbound connectivity)
# 10000 SNAT ports are allocated to each backend instance.
az network lb outbound-rule create \
  --resource-group rg-loadbalancer-prod \
  --lb-name lb-web-prod \
  --name outbound-rule \
  --frontend-ip-configs frontend-web \
  --protocol All \
  --address-pool backend-web \
  --outbound-ports 10000

Internal Load Balancer for Backend Services

# Create the DB subnet used by the internal load balancer
# (the vnet create command above only creates subnet-web)
az network vnet subnet create \
  --resource-group rg-loadbalancer-prod \
  --vnet-name vnet-prod \
  --name subnet-db \
  --address-prefixes 10.0.2.0/24

# Create Internal Load Balancer for Database Tier
az network lb create \
  --resource-group rg-loadbalancer-prod \
  --name lb-db-internal \
  --sku Standard \
  --vnet-name vnet-prod \
  --subnet subnet-db \
  --frontend-ip-name frontend-db \
  --backend-pool-name backend-db \
  --private-ip-address 10.0.2.10

# Create Health Probe for SQL Server
az network lb probe create \
  --resource-group rg-loadbalancer-prod \
  --lb-name lb-db-internal \
  --name health-probe-sql \
  --protocol Tcp \
  --port 1433 \
  --interval 5 \
  --threshold 2

# Create Load Balancing Rule for SQL
az network lb rule create \
  --resource-group rg-loadbalancer-prod \
  --lb-name lb-db-internal \
  --name rule-sql \
  --protocol Tcp \
  --frontend-port 1433 \
  --backend-port 1433 \
  --frontend-ip-name frontend-db \
  --backend-pool-name backend-db \
  --probe-name health-probe-sql \
  --load-distribution SourceIP \
  --enable-floating-ip true

🔄 Configuration Order and Dependencies

graph TD
    A[1. Create Resource Group<br/>az group create] --> B[2. Create Virtual Network<br/>az network vnet create]
    B --> C[3. Create Subnets<br/>Included in vnet create]
    C --> D{4. Load Balancer Type}
    D -->|Public| E[5a. Create Public IP<br/>az network public-ip create<br/>Standard SKU + Zones]
    D -->|Internal| F[5b. Skip Public IP<br/>Use private IP instead]
    E --> G[6. Create Load Balancer<br/>az network lb create]
    F --> G
    G --> H[7. Frontend IP Config<br/>Created with LB<br/>or az network lb frontend-ip create]
    H --> I[8. Create Backend Pool<br/>Created with LB<br/>or az network lb address-pool create]
    I --> J[9. Create Health Probes<br/>az network lb probe create]
    J --> K[10. Create LB Rules<br/>az network lb rule create<br/>Links: Frontend + Backend + Probe]
    %% Parallel Infrastructure Tasks
    L[Parallel: Create NSG<br/>az network nsg create] --> M[Add NSG Rules<br/>az network nsg rule create]
    M --> N[Create Availability Set<br/>az vm availability-set create]
    N --> O[Create Virtual Machines<br/>az vm create<br/>Associate with NSG + Subnet]
    K --> P[11. Add VMs to Backend Pool<br/>az network nic ip-config address-pool add]
    O --> P
    P --> Q[12. Create Outbound Rules<br/>az network lb outbound-rule create<br/>Control SNAT behavior]
    Q --> R[13. Configure Monitoring<br/>az monitor diagnostic-settings create]
    R --> S[14. Test & Validate<br/>Verify health probes + connectivity]
    %% Critical Dependencies
    T[Dependencies] --> T1[VNet must exist before LB]
    T --> T2[Probes before LB Rules]
    T --> T3[Backend Pool before adding VMs]
    T --> T4[NSG before VM creation]
    style A fill:#e8f5e8
    style D fill:#fff3e0
    style G fill:#bbdefb
    style K fill:#f3e5f5
    style P fill:#fce4ec
    style S fill:#e1f5fe
    style T fill:#ffebee

sequenceDiagram
    participant Admin as Administrator
    participant CLI as Azure CLI
    participant ARM as Azure Resource Manager
    participant LB as Load Balancer
    participant VM as Virtual Machine
    Admin->>CLI: az group create
    CLI->>ARM: Create resource group
    ARM-->>CLI: Resource group created
    Admin->>CLI: az network vnet create
    CLI->>ARM: Create virtual network + subnet
    ARM-->>CLI: Network infrastructure ready
    Admin->>CLI: az network public-ip create
    CLI->>ARM: Allocate public IP (Standard SKU)
    ARM-->>CLI: Public IP allocated
    Admin->>CLI: az network lb create
    CLI->>ARM: Create load balancer with frontend/backend
    ARM->>LB: Initialize load balancer
    LB-->>ARM: Load balancer ready
    ARM-->>CLI: Load balancer created
    Admin->>CLI: az network lb probe create
    CLI->>ARM: Configure health probe
    ARM->>LB: Add health monitoring
    LB-->>ARM: Probe configured
    Admin->>CLI: az network lb rule create
    CLI->>ARM: Create load balancing rule
    ARM->>LB: Link frontend→backend with probe
    LB-->>ARM: Rule active
    Admin->>CLI: az vm create (multiple)
    CLI->>ARM: Deploy virtual machines
    ARM->>VM: Initialize VMs with NICs
    VM-->>ARM: VMs ready
    Admin->>CLI: az network nic ip-config address-pool add
    CLI->>ARM: Associate VMs with backend pool
    ARM->>LB: Register backend targets
    LB->>VM: Start health probing
    VM-->>LB: Health status response
    LB-->>ARM: Backend pool updated
    Admin->>CLI: Test connectivity
    CLI->>LB: Send test traffic
    LB->>VM: Distribute traffic based on rules
    VM-->>LB: Application response
    LB-->>CLI: Traffic flow successful

🔧 Configuration Best Practices:

  • Pre-planning: Design your network topology and IP addressing scheme first
  • Security First: Create NSGs and rules before deploying VMs
  • Health Probes: Configure appropriate probe intervals and thresholds
  • Testing: Validate each component before moving to the next step
  • Monitoring: Enable diagnostics and metrics from the beginning

⚠️ Critical Order Dependencies:

  • Virtual Network must exist before Load Balancer creation
  • Health Probes must be created before Load Balancing Rules
  • Backend Pool must exist before adding VMs to it
  • NSG rules should be configured before VM deployment
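
The rule, probe and outbound-rule relationships described above can be checked against an exported configuration before go-live. The following is an added example, not part of the original guide: it audits JSON shaped like the output of `az network lb show --output json` for rules without a probe, load-balancing rules that share a frontend with an outbound rule without disabling outbound SNAT, and port allocations too small for the pool. The sample document is constructed, and its key names are assumed to follow the ARM load balancer schema.

```python
import json

PORTS_PER_FRONTEND_IP = 64000  # SNAT ports available per public frontend IP

# Constructed sample, trimmed to the fields the checks read. Key names follow
# the ARM load balancer schema (assumption; CLI versions may case them differently).
# rule-http deliberately leaves disableOutboundSnat false to trigger a finding.
SAMPLE_LB = json.loads("""{
  "probes": [{"id": "probe/health-probe-http"}],
  "backendAddressPools": [{"id": "pool/backend-web", "backendIPConfigurations":
      [{"id": "nic/vm-web-01VMNic"}, {"id": "nic/vm-web-02VMNic"}]}],
  "loadBalancingRules": [{"name": "rule-http",
      "frontendIPConfiguration": {"id": "fe/frontend-web"},
      "probe": {"id": "probe/health-probe-http"}, "disableOutboundSnat": false}],
  "outboundRules": [{"name": "outbound-rule", "allocatedOutboundPorts": 10000,
      "frontendIPConfigurations": [{"id": "fe/frontend-web"}],
      "backendAddressPool": {"id": "pool/backend-web"}}]
}""")


def max_backends(outbound_rule):
    """Largest pool a manual (non-zero) per-instance port allocation can serve."""
    capacity = PORTS_PER_FRONTEND_IP * len(outbound_rule["frontendIPConfigurations"])
    return capacity // outbound_rule["allocatedOutboundPorts"]


def audit_lb(lb):
    """Return findings for the rule, probe and outbound-rule relationships."""
    findings = []
    probe_ids = {p["id"] for p in lb.get("probes", [])}
    pools = {p["id"]: p for p in lb.get("backendAddressPools", [])}
    outbound = lb.get("outboundRules", [])
    outbound_fes = {fe["id"] for o in outbound for fe in o["frontendIPConfigurations"]}
    for rule in lb.get("loadBalancingRules", []):
        if (rule.get("probe") or {}).get("id") not in probe_ids:
            findings.append(f"{rule['name']}: no health probe attached")
        shared = rule["frontendIPConfiguration"]["id"] in outbound_fes
        if shared and not rule.get("disableOutboundSnat"):
            findings.append(f"{rule['name']}: shares a frontend with an outbound "
                            "rule, disableOutboundSnat must be true")
    for o in outbound:
        pool = pools.get(o["backendAddressPool"]["id"], {})
        members = len(pool.get("backendIPConfigurations", []))
        if members > max_backends(o):
            findings.append(f"{o['name']}: {members} instances exceed the "
                            f"{max_backends(o)} the port allocation supports")
    return findings


if __name__ == "__main__":
    for finding in audit_lb(SAMPLE_LB):
        print(finding)
```

With 10000 ports per instance and one frontend IP, the outbound rule from this guide supports at most 6 backend instances before the allocation has to be lowered or a second frontend IP added.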

📈 Monitoring and Troubleshooting

# Enable Diagnostic Settings
az monitor diagnostic-settings create \
  --resource-group rg-loadbalancer-prod \
  --name lb-diagnostics \
  --resource lb-web-prod \
  --resource-type Microsoft.Network/loadBalancers \
  --logs '[{"category":"LoadBalancerAlertEvent","enabled":true},{"category":"LoadBalancerProbeHealthStatus","enabled":true}]' \
  --metrics '[{"category":"AllMetrics","enabled":true}]' \
  --workspace /subscriptions/{subscription-id}/resourceGroups/rg-monitoring/providers/Microsoft.OperationalInsights/workspaces/law-monitoring

# Check Load Balancer Health (provisioning state of the resource)
az network lb show \
  --resource-group rg-loadbalancer-prod \
  --name lb-web-prod \
  --query "provisioningState"

# View the Health Probe Configured for the Backend Pool
az network lb probe show \
  --resource-group rg-loadbalancer-prod \
  --lb-name lb-web-prod \
  --name health-probe-http

# Test Connectivity (lists inbound NAT rule port mappings for one backend address)
# 10.0.1.4 is an example value; replace it with a backend VM's private IP.
az network lb list-mapping \
  --resource-group rg-loadbalancer-prod \
  --name lb-web-prod \
  --backend-pool-name backend-web \
  --request ip=10.0.1.4